diff options
-rw-r--r-- | include/my_crypt.h | 53 | ||||
-rw-r--r-- | mysys_ssl/my_aes.cc | 530 | ||||
-rw-r--r-- | mysys_ssl/my_crypt.cc | 125 | ||||
-rw-r--r-- | storage/innobase/fil/fil0crypt.cc | 1 | ||||
-rw-r--r-- | storage/xtradb/fil/fil0crypt.cc | 1 |
5 files changed, 140 insertions, 570 deletions
diff --git a/include/my_crypt.h b/include/my_crypt.h index ea095e11fa9..db25b1f37af 100644 --- a/include/my_crypt.h +++ b/include/my_crypt.h @@ -1,3 +1,20 @@ +/* + Copyright (c) 2014 Google Inc. + Copyright (c) 2014, 2015 MariaDB Corporation + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + // TODO: Add Windows support #ifndef MYSYS_MY_CRYPT_H_ @@ -12,24 +29,38 @@ Crypt_result my_aes_encrypt_ctr(const uchar* source, uint32 source_length, uchar* dest, uint32* dest_length, const unsigned char* key, uint8 key_length, const unsigned char* iv, uint8 iv_length, - uint noPadding); + uint no_padding); Crypt_result my_aes_decrypt_ctr(const uchar* source, uint32 source_length, uchar* dest, uint32* dest_length, const unsigned char* key, uint8 key_length, const unsigned char* iv, uint8 iv_length, - uint noPadding); -C_MODE_END + uint no_padding); + +Crypt_result my_aes_encrypt_cbc(const uchar* source, uint32 source_length, + uchar* dest, uint32* dest_length, + const unsigned char* key, uint8 key_length, + const unsigned char* iv, uint8 iv_length, + uint no_padding); + +Crypt_result my_aes_decrypt_cbc(const uchar* source, uint32 source_length, + uchar* dest, uint32* dest_length, + const unsigned char* key, uint8 key_length, + const unsigned char* iv, uint8 iv_length, + uint no_padding); -Crypt_result EncryptAes128Ctr(const uchar* key, - const uchar* iv, int iv_size, - const uchar* plaintext, int plaintext_size, - uchar* ciphertext, int* ciphertext_used); +Crypt_result my_aes_encrypt_ecb(const uchar* source, uint32 source_length, + uchar* dest, uint32* dest_length, + const unsigned char* key, uint8 key_length, + const unsigned char* iv, uint8 iv_length, + uint no_padding); -Crypt_result DecryptAes128Ctr(const uchar* key, - const uchar* iv, int iv_size, - const uchar* ciphertext, int ciphertext_size, - uchar* plaintext, int* plaintext_used); +Crypt_result my_aes_decrypt_ecb(const uchar* source, uint32 source_length, + uchar* dest, uint32* dest_length, + const unsigned char* key, uint8 key_length, + const unsigned char* iv, uint8 iv_length, + uint no_padding); +C_MODE_END #endif /* !defined(HAVE_YASSL) && defined(HAVE_OPENSSL) */ diff --git a/mysys_ssl/my_aes.cc b/mysys_ssl/my_aes.cc index cd28d7ed49f..0a81cef9ab1 100644 --- a/mysys_ssl/my_aes.cc +++ b/mysys_ssl/my_aes.cc @@ -101,536 +101,6 @@ static int my_aes_create_key(const char *key, int key_length, uint8 *rkey) } /** - Crypt buffer with AES CBC encryption algorithm. - - SYNOPSIS - my_aes_encrypt_cbc() - @param source [in] Pointer to data for encryption - @param source_length [in] Size of encryption data - @param dest [out] Buffer to place encrypted data (must be large enough) - @param dest_length [out] Pointer to size of encrypted data - @param key [in] Key to be used for encryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] if set to true, no padding is used. if the input length is not a - multiple of the AES block size, trailing bytes are only copied to destination buffer. - This allows currently the same interface for CBC, ECB and CTR encryption. - @return - != 0 error - 0 no error -*/ - -static int my_aes_encrypt_cbc(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) -{ - uint8 remaining_bytes = (noPadding == 0) ? 0 : source_length % MY_AES_BLOCK_SIZE; - source_length = source_length - remaining_bytes; - -#ifdef HAVE_YASSL - TaoCrypt::AES_CBC_Encryption enc; - /* 128 bit block used for padding */ - uint8 block[MY_AES_BLOCK_SIZE]; - int num_blocks; /* number of complete blocks */ - int i; - switch(key_length) { - case 16: - break; - case 24: - break; - case 32: - break; - default: - return AES_BAD_KEYSIZE; - } - - enc.SetKey((const TaoCrypt::byte *) key, key_length, (const TaoCrypt::byte *) iv); - - num_blocks = source_length / MY_AES_BLOCK_SIZE; - - for (i = num_blocks; i > 0; i--) /* Encode complete blocks */ - { - enc.Process((TaoCrypt::byte *) dest, (const TaoCrypt::byte *) source, - MY_AES_BLOCK_SIZE); - source += MY_AES_BLOCK_SIZE; - dest += MY_AES_BLOCK_SIZE; - } - - if (noPadding) { - if (remaining_bytes!=0) { - /* Note that we moved the original pointers above */ - memcpy(dest, source, remaining_bytes); - } - *dest_length = MY_AES_BLOCK_SIZE * (num_blocks) + remaining_bytes; - return AES_OK; - } - - /* Encode the rest. We always have incomplete block */ - char pad_len = MY_AES_BLOCK_SIZE - (source_length - - MY_AES_BLOCK_SIZE * num_blocks); - memcpy(block, source, 16 - pad_len); - memset(block + MY_AES_BLOCK_SIZE - pad_len, pad_len, pad_len); - - enc.Process((TaoCrypt::byte *) dest, (const TaoCrypt::byte *) block, - MY_AES_BLOCK_SIZE); - - *dest_length = MY_AES_BLOCK_SIZE * (num_blocks + 1); - return AES_OK; -#elif defined(HAVE_OPENSSL) - MyCipherCtx ctx; - int u_len, f_len; - /* The real key to be used for encryption */ - const EVP_CIPHER* cipher; - switch(key_length) { - case 16: - cipher = EVP_aes_128_cbc(); - break; - case 24: - cipher = EVP_aes_192_cbc(); - break; - case 32: - cipher = EVP_aes_256_cbc(); - break; - default: - return AES_BAD_KEYSIZE; - } - //Initialize Encryption Engine here, default software Engine is default - ENGINE *engine = NULL; - - if (! EVP_EncryptInit_ex(&ctx.ctx, cipher, engine, key, iv)) - return AES_BAD_DATA; /* Error */ - if (noPadding) { - EVP_CIPHER_CTX_set_padding(&ctx.ctx, 0); - } - EVP_CIPHER_CTX_key_length(&ctx.ctx); - OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx.ctx) == key_length); - OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx.ctx) == iv_length); - OPENSSL_assert(EVP_CIPHER_CTX_block_size(&ctx.ctx) == 16); - if (! EVP_EncryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len, - (unsigned const char *) source, source_length)) - return AES_BAD_DATA; /* Error */ - if (! EVP_EncryptFinal_ex(&ctx.ctx, (unsigned char *) dest + u_len, &f_len)) - return AES_BAD_DATA; /* Error */ - - if (remaining_bytes!=0) { - memcpy(dest + source_length, source + source_length, remaining_bytes); - } - *dest_length = (unsigned long int) (u_len + f_len + remaining_bytes); - - return AES_OK; -#else - /* currently Open SSL is required */ - return AES_BAD_DATA; -#endif -} - - -/** - Crypt buffer with AES ECB encryption algorithm. - - SYNOPSIS - my_aes_encrypt_ecb() - @param source [in] Pointer to data for encryption - @param source_length [in] Size of encryption data - @param dest [out] Buffer to place encrypted data (must be large enough) - @param dest_length [out] Pointer to size of encrypted data - @param key [in] Key to be used for encryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] if set to true, no padding is used. if the input length is not a - multiple of the AES block size, trailing bytes are only copied to destination buffer. - This allows currently the same interface for CBC, ECB and CTR encryption. - @return - != 0 error - 0 no error -*/ - -static int my_aes_encrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) -{ - uint8 remaining_bytes = (noPadding == 0) ? 0 : source_length % MY_AES_BLOCK_SIZE; - source_length = source_length - remaining_bytes; - -#ifdef HAVE_YASSL - TaoCrypt::AES_ECB_Encryption enc; - /* 128 bit block used for padding */ - uint8 block[MY_AES_BLOCK_SIZE]; - int num_blocks; /* number of complete blocks */ - int i; - switch(key_length) { - case 16: - break; - case 24: - break; - case 32: - break; - default: - return AES_BAD_KEYSIZE; - } - - enc.SetKey((const TaoCrypt::byte *) key, key_length, (const TaoCrypt::byte *) iv); - - num_blocks = source_length / MY_AES_BLOCK_SIZE; - - for (i = num_blocks; i > 0; i--) /* Encode complete blocks */ - { - enc.Process((TaoCrypt::byte *) dest, (const TaoCrypt::byte *) source, - MY_AES_BLOCK_SIZE); - source += MY_AES_BLOCK_SIZE; - dest += MY_AES_BLOCK_SIZE; - } - - if (noPadding) { - if (remaining_bytes!=0) { - /* Note that we moved the original pointers above */ - memcpy(dest, source, remaining_bytes); - } - *dest_length = MY_AES_BLOCK_SIZE * (num_blocks) + remaining_bytes; - return AES_OK; - } - - /* Encode the rest. We always have incomplete block */ - char pad_len = MY_AES_BLOCK_SIZE - (source_length - - MY_AES_BLOCK_SIZE * num_blocks); - memcpy(block, source, 16 - pad_len); - memset(block + MY_AES_BLOCK_SIZE - pad_len, pad_len, pad_len); - - enc.Process((TaoCrypt::byte *) dest, (const TaoCrypt::byte *) block, - MY_AES_BLOCK_SIZE); - - *dest_length = MY_AES_BLOCK_SIZE * (num_blocks + 1); - return AES_OK; -#elif defined(HAVE_OPENSSL) - MyCipherCtx ctx; - int u_len, f_len; - /* The real key to be used for encryption */ - const EVP_CIPHER* cipher; - switch(key_length) { - case 16: - cipher = EVP_aes_128_ecb(); - break; - case 24: - cipher = EVP_aes_192_ecb(); - break; - case 32: - cipher = EVP_aes_256_ecb(); - break; - default: - return AES_BAD_KEYSIZE; - } - //Initialize Encryption Engine here, default software Engine is default - ENGINE *engine = NULL; - - if (! EVP_EncryptInit_ex(&ctx.ctx, cipher, engine, key, iv)) - return AES_BAD_DATA; /* Error */ - if (noPadding) { - EVP_CIPHER_CTX_set_padding(&ctx.ctx, 0); - } - EVP_CIPHER_CTX_key_length(&ctx.ctx); - OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx.ctx) == key_length); - // ECB does not use IV - OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx.ctx) == 0); - OPENSSL_assert(EVP_CIPHER_CTX_block_size(&ctx.ctx) == 16); - if (! EVP_EncryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len, - (unsigned const char *) source, source_length)) - return AES_BAD_DATA; /* Error */ - if (! EVP_EncryptFinal_ex(&ctx.ctx, (unsigned char *) dest + u_len, &f_len)) - return AES_BAD_DATA; /* Error */ - - if (remaining_bytes!=0) - memcpy(dest + source_length, source + source_length, remaining_bytes); - - *dest_length = (unsigned long int) (u_len + f_len + remaining_bytes); - - return AES_OK; -#else - /* currently Open SSL is required */ - return AES_BAD_DATA; -#endif -} - - - -/** - AES decryption - CBC mode - - SYNOPSIS - my_aes_decrypt_cbc() - @param source [in] Pointer to data to decrypt - @param source_length [in] Size of data - @param dest [out] Buffer to place decrypted data (must be large enough) - @param dest_length [out] Pointer to size of decrypted data - @param key [in] Key to be used for decryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] if set to true, no padding is used. if the input length is not a - multiple of the AES block size, trailing bytes are only copied to destination buffer. - This allows currently the same interface for CBC, ECB and CTR encryption. - - @return - != 0 error - 0 no error -*/ - -static int my_aes_decrypt_cbc(const uchar* source, uint32 source_length, - uchar* dest, uint32 *dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) -{ - uint8 remaining_bytes = (noPadding == 0) ? 0 : source_length % MY_AES_BLOCK_SIZE; - source_length = source_length - remaining_bytes; - - -#ifdef HAVE_YASSL - TaoCrypt::AES_CBC_Decryption dec; - /* 128 bit block used for padding */ - uint8 block[MY_AES_BLOCK_SIZE]; - uint num_blocks; /* Number of complete blocks */ - int i; - switch(key_length) { - case 16: - break; - case 24: - break; - case 32: - break; - default: - return AES_BAD_KEYSIZE; - } - - dec.SetKey((const TaoCrypt::byte *) key, key_length, iv); - - num_blocks = source_length / MY_AES_BLOCK_SIZE; - - if ((source_length != num_blocks * MY_AES_BLOCK_SIZE) || num_blocks == 0 ) - /* Input size has to be even and at least one block */ - return AES_BAD_DATA; - - /* Decode all but last blocks */ - for (i = num_blocks - 1; i > 0; i--) - { - dec.Process((TaoCrypt::byte *) dest, (const TaoCrypt::byte *) source, - MY_AES_BLOCK_SIZE); - source += MY_AES_BLOCK_SIZE; - dest += MY_AES_BLOCK_SIZE; - } - - dec.Process((TaoCrypt::byte *) block, (const TaoCrypt::byte *) source, - MY_AES_BLOCK_SIZE); - - if (noPadding) { - memcpy(dest, block, MY_AES_BLOCK_SIZE); - if (remaining_bytes!=0) { - /* Note that we have moved dest and source */ - memcpy(dest + MY_AES_BLOCK_SIZE, source + MY_AES_BLOCK_SIZE, remaining_bytes); - } - *dest_length = MY_AES_BLOCK_SIZE * num_blocks + remaining_bytes; - return AES_OK; - } - - /* Use last char in the block as size */ - uint pad_len = (uint) (uchar) block[MY_AES_BLOCK_SIZE - 1]; - - if (pad_len > MY_AES_BLOCK_SIZE) - return AES_BAD_DATA; - /* We could also check whole padding but we do not really need this */ - - memcpy(dest, block, MY_AES_BLOCK_SIZE - pad_len); - *dest_length = MY_AES_BLOCK_SIZE * num_blocks - pad_len; - return AES_OK; -#elif defined(HAVE_OPENSSL) - MyCipherCtx ctx; - int u_len, f_len; - - const EVP_CIPHER* cipher; - switch(key_length) { - case 16: - cipher = EVP_aes_128_cbc(); - break; - case 24: - cipher = EVP_aes_192_cbc(); - break; - case 32: - cipher = EVP_aes_256_cbc(); - break; - default: - return AES_BAD_KEYSIZE; - } - //Initialize Encryption Engine here, default software Engine is default - ENGINE *engine = NULL; - - if (! EVP_DecryptInit_ex(&ctx.ctx, cipher, engine, key, iv)) - return AES_BAD_DATA; /* Error */ - if (noPadding) { - EVP_CIPHER_CTX_set_padding(&ctx.ctx, 0); - } - OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx.ctx) == key_length); - OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx.ctx) == iv_length); - OPENSSL_assert(EVP_CIPHER_CTX_block_size(&ctx.ctx) == 16); - if (! EVP_DecryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len, - (unsigned char *)source, source_length)) - return AES_BAD_DATA; /* Error */ - if (! EVP_DecryptFinal_ex(&ctx.ctx, (unsigned char *) dest + u_len, &f_len)) { - *dest_length = (unsigned long int) u_len; - return AES_BAD_DATA; - } - if (remaining_bytes!=0) { - memcpy(dest + source_length, source + source_length, remaining_bytes); - } - *dest_length = (unsigned long int) (u_len + f_len) + remaining_bytes; -#endif - return AES_OK; -} - -/** - AES decryption - ECB mode - - SYNOPSIS - my_aes_decrypt_ecb() - @param source [in] Pointer to data to decrypt - @param source_length [in] Size of data - @param dest [out] Buffer to place decrypted data (must be large enough) - @param dest_length [out] Pointer to size of decrypted data - @param key [in] Key to be used for decryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] if set to true, no padding is used. if the input length is not a - multiple of the AES block size, trailing bytes are only copied to destination buffer. - This allows currently the same interface for CBC, ECB and CTR encryption. - - @return - != 0 error - 0 no error -*/ - -static int my_aes_decrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32 *dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) -{ - uint8 remaining_bytes = (noPadding == 0) ? 0 : source_length % MY_AES_BLOCK_SIZE; - source_length = source_length - remaining_bytes; - - -#ifdef HAVE_YASSL - TaoCrypt::AES_ECB_Decryption dec; - /* 128 bit block used for padding */ - uint8 block[MY_AES_BLOCK_SIZE]; - uint num_blocks; /* Number of complete blocks */ - int i; - switch(key_length) { - case 16: - break; - case 24: - break; - case 32: - break; - default: - return AES_BAD_KEYSIZE; - } - - dec.SetKey((const TaoCrypt::byte *) key, key_length, iv); - - num_blocks = source_length / MY_AES_BLOCK_SIZE; - - if ((source_length != num_blocks * MY_AES_BLOCK_SIZE) || num_blocks == 0 ) - /* Input size has to be even and at least one block */ - return AES_BAD_DATA; - - /* Decode all but last blocks */ - for (i = num_blocks - 1; i > 0; i--) - { - dec.Process((TaoCrypt::byte *) dest, (const TaoCrypt::byte *) source, - MY_AES_BLOCK_SIZE); - source += MY_AES_BLOCK_SIZE; - dest += MY_AES_BLOCK_SIZE; - } - - dec.Process((TaoCrypt::byte *) block, (const TaoCrypt::byte *) source, - MY_AES_BLOCK_SIZE); - - if (noPadding) { - memcpy(dest, block, MY_AES_BLOCK_SIZE); - if (remaining_bytes!=0) { - /* Note that we have moved dest and source */ - memcpy(dest + MY_AES_BLOCK_SIZE, source + MY_AES_BLOCK_SIZE, remaining_bytes); - } - *dest_length = MY_AES_BLOCK_SIZE * num_blocks + remaining_bytes; - return AES_OK; - } - - /* Use last char in the block as size */ - uint pad_len = (uint) (uchar) block[MY_AES_BLOCK_SIZE - 1]; - - if (pad_len > MY_AES_BLOCK_SIZE) - return AES_BAD_DATA; - /* We could also check whole padding but we do not really need this */ - - memcpy(dest, block, MY_AES_BLOCK_SIZE - pad_len); - *dest_length = MY_AES_BLOCK_SIZE * num_blocks - pad_len; - return AES_OK; -#elif defined(HAVE_OPENSSL) - MyCipherCtx ctx; - int u_len, f_len; - - const EVP_CIPHER* cipher; - switch(key_length) { - case 16: - cipher = EVP_aes_128_ecb(); - break; - case 24: - cipher = EVP_aes_192_ecb(); - break; - case 32: - cipher = EVP_aes_256_ecb(); - break; - default: - return AES_BAD_KEYSIZE; - } - //Initialize Encryption Engine here, default software Engine is default - ENGINE *engine = NULL; - - if (! EVP_DecryptInit_ex(&ctx.ctx, cipher, engine, key, iv)) - return AES_BAD_DATA; /* Error */ - if (noPadding) { - EVP_CIPHER_CTX_set_padding(&ctx.ctx, 0); - } - OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx.ctx) == key_length); - // ECB does not use IV - OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx.ctx) == 0); - OPENSSL_assert(EVP_CIPHER_CTX_block_size(&ctx.ctx) == 16); - if (! EVP_DecryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len, - (unsigned char *)source, source_length)) - return AES_BAD_DATA; /* Error */ - if (! EVP_DecryptFinal_ex(&ctx.ctx, (unsigned char *) dest + u_len, &f_len)) { - *dest_length = (unsigned long int) u_len; - return AES_BAD_DATA; - } - if (remaining_bytes!=0) { - memcpy(dest + source_length, source + source_length, remaining_bytes); - } - *dest_length = (unsigned long int) (u_len + f_len) + remaining_bytes; - -#endif - return AES_OK; -} - - - - - -/** Encryption interface that doesn't do anything (for testing) SYNOPSIS diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc index f1356523f90..2b9bfedb08c 100644 --- a/mysys_ssl/my_crypt.cc +++ b/mysys_ssl/my_crypt.cc @@ -1,14 +1,29 @@ /* + Copyright (c) 2014 Google Inc. + Copyright (c) 2014, 2015 MariaDB Corporation + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +/* TODO: add support for YASSL */ #include <my_global.h> #include <my_crypt.h> -/* YASSL doesn't support EVP_CIPHER_CTX */ #ifdef HAVE_EncryptAes128Ctr -#include "mysql.h" #include <openssl/evp.h> #include <openssl/aes.h> @@ -17,67 +32,119 @@ static const int CRYPT_DECRYPT = 0; C_MODE_START -static int do_crypt(const EVP_CIPHER *cipher, int mode, +static int do_crypt(const EVP_CIPHER *cipher, int encrypt, const uchar* source, uint32 source_length, uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, int no_padding) { - int res= AES_OPENSSL_ERROR; + int res= AES_OPENSSL_ERROR, fin; + int tail= no_padding ? source_length % MY_AES_BLOCK_SIZE : 0; + EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(&ctx); - if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, mode)) + if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt)) goto err; - if (!EVP_CipherUpdate(&ctx, dest, (int*)dest_length, source, source_length)) + + EVP_CIPHER_CTX_set_padding(&ctx, !no_padding); + + DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == key_length); + DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == iv_length || !EVP_CIPHER_CTX_iv_length(&ctx)); + DBUG_ASSERT(EVP_CIPHER_CTX_block_size(&ctx) == MY_AES_BLOCK_SIZE || !no_padding); + + if (!EVP_CipherUpdate(&ctx, dest, (int*)dest_length, source, source_length - tail)) goto err; + if (!EVP_CipherFinal_ex(&ctx, dest + *dest_length, &fin)) + goto err; + *dest_length += fin; + + if (tail) + { + /* + Not much we can do here, block cyphers cannot encrypt data that aren't + a multiple of the block length. At least not without padding. + What we do here, we XOR the tail with the previous encrypted block. + */ + + DBUG_ASSERT(source_length - tail == *dest_length); + DBUG_ASSERT(source_length - tail > MY_AES_BLOCK_SIZE); + const uchar *s= source + source_length - tail; + const uchar *e= source + source_length; + uchar *d= dest + source_length - tail; + const uchar *m= (encrypt ? d : s) - MY_AES_BLOCK_SIZE; + while (s < e) + *d++ = *s++ ^ *m++; + *dest_length= source_length; + } + res= AES_OK; err: EVP_CIPHER_CTX_cleanup(&ctx); return res; } +/* CTR is a stream cypher mode, it needs no special padding code */ int my_aes_encrypt_ctr(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) + uchar* dest, uint32* dest_length, + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, + uint no_padding) { return do_crypt(EVP_aes_128_ctr(), CRYPT_ENCRYPT, source, source_length, - dest, dest_length, key, key_length, iv, iv_length, noPadding); + dest, dest_length, key, key_length, iv, iv_length, 0); } int my_aes_decrypt_ctr(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) + uchar* dest, uint32* dest_length, + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, + uint no_padding) { return do_crypt(EVP_aes_128_ctr(), CRYPT_DECRYPT, source, source_length, - dest, dest_length, key, key_length, iv, iv_length, noPadding); + dest, dest_length, key, key_length, iv, iv_length, 0); } int my_aes_encrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) + uchar* dest, uint32* dest_length, + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, + uint no_padding) { return do_crypt(EVP_aes_128_ecb(), CRYPT_ENCRYPT, source, source_length, - dest, dest_length, key, key_length, iv, iv_length, noPadding); + dest, dest_length, key, key_length, iv, iv_length, no_padding); } int my_aes_decrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) + uchar* dest, uint32* dest_length, + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, + uint no_padding) { return do_crypt(EVP_aes_128_ecb(), CRYPT_DECRYPT, source, source_length, - dest, dest_length, key, key_length, iv, iv_length, noPadding); + dest, dest_length, key, key_length, iv, iv_length, no_padding); +} + +int my_aes_encrypt_cbc(const uchar* source, uint32 source_length, + uchar* dest, uint32* dest_length, + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, + uint no_padding) +{ + return do_crypt(EVP_aes_128_cbc(), CRYPT_ENCRYPT, source, source_length, + dest, dest_length, key, key_length, iv, iv_length, no_padding); +} + +int my_aes_decrypt_cbc(const uchar* source, uint32 source_length, + uchar* dest, uint32* dest_length, + const uchar* key, uint8 key_length, + const uchar* iv, uint8 iv_length, + uint no_padding) +{ + return do_crypt(EVP_aes_128_cbc(), CRYPT_DECRYPT, source, source_length, + dest, dest_length, key, key_length, iv, iv_length, no_padding); } C_MODE_END diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc index 9f8315a8016..f4602fa7fdc 100644 --- a/storage/innobase/fil/fil0crypt.cc +++ b/storage/innobase/fil/fil0crypt.cc @@ -212,6 +212,7 @@ fil_crypt_get_key(byte *dst, uint* key_length, mutex_enter(&crypt_data->mutex); if (!page_encrypted) { + *key_length = get_encryption_key_size(version); // Check if we already have key for (uint i = 0; i < crypt_data->key_count; i++) { if (crypt_data->keys[i].key_version == version) { diff --git a/storage/xtradb/fil/fil0crypt.cc b/storage/xtradb/fil/fil0crypt.cc index 9f8315a8016..f4602fa7fdc 100644 --- a/storage/xtradb/fil/fil0crypt.cc +++ b/storage/xtradb/fil/fil0crypt.cc @@ -212,6 +212,7 @@ fil_crypt_get_key(byte *dst, uint* key_length, mutex_enter(&crypt_data->mutex); if (!page_encrypted) { + *key_length = get_encryption_key_size(version); // Check if we already have key for (uint i = 0; i < crypt_data->key_count; i++) { if (crypt_data->keys[i].key_version == version) { |